Showing posts from June, 2020

Threat Actors Phishing Airbnb Users For Fraud

During my daily monitoring, I uncovered a number of Airbnb phishing pages harvesting user account credentials. This got me thinking about the types of fraud targeting Airbnb users and hosts. Airbnb is not a typical phishing target compared to the vast number of phishing pages aimed at banks, HMRC, DVLA, and mobile carriers. However, it can be a profitable venture for cybercriminals if they can phish the right account.
I also identified one phishing page that was aiming to bypass SMS two-factor authentication (2FA). The first page takes the email and password (see here) and the second acquires the SMS code (see here). For this attack, the operators only have a limited window to swipe the credentials and enter the 2FA code before it expires (typically around 10 minutes). If successful, the attackers are fully authenticated and can change the password.
Indicators of Compromise (IOCs):
Type | Indicator
Domain | abn.co-host-listing-49461[.]casa
Domain | abn.co-host-listing-24…

CobaltStrike: The Penetration Testing Framework & Our Adversaries

CobaltStrike is an advanced penetration testing framework and threat emulation software that was built by Red Teamers for Red Teamers, but is more often than not used by our adversaries too. It was designed as a full-scope engagement tool intended to improve the security of organisations by identifying weaknesses. However, because it is extremely “hacker friendly”, it has been stolen and adopted by organised cybercrime gangs and advanced persistent threat (APT) groups alike.
CobaltStrike itself is an interesting tool that was built on top of and expands upon the Metasploit framework. It has streamlined penetration testing by automating the Metasploit processes and adding additional modules.
Key features of CobaltStrike (mainly taken from the website):
- Reconnaissance - profile systems and find their weaknesses. Footprint operating systems and discover running services and applications.
- Access - credential access, bypass authentication, Man-in-the-Middle attacks, social engineeri…

Deep-dive: The DarkHotel APT

PART 1: DARKHOTEL
DarkHotel is a sophisticated and active advanced persistent threat (APT) group. It is highly capable and is known for finding and taking advantage of previously unknown vulnerabilities in common software, also known as 0days. It is a well-established group that has been active since 2007, consists of known Korean-speakers, and works on behalf of a nation state.
DarkHotel was first disclosed in 2014 and is also known as DUBNIUM, Black Shop, Fallout Team, Karba, Luder, Nemim, Nemain, Tapaoux, Pioneer, Shadow Crane, APT-C-06, and TUNGSTEN BRIDGE. From the NSA’s sigs.py script (also known as Territorial Dispute or TeDi) DarkHotel is signature number 25 (SIG25). Malware associated with DarkHotel includes Asruex, Parastic Beast, Inexsmar, Retro backdoor, Gh0st RAT, and the new Ramsay toolkit. Vulnerabilities leveraged in its 0day exploits include CVE-2018-8174, CVE-2018-8373, CVE-2019-1458, CVE-2019-13720, CVE-2019-17026, and CVE-2020-0674. DarkHotel also often exploits CVE-20…

The Joker Trojan plays the Google PlayStore

The Joker Trojan (also known as the Bread Trojan) is an Android dropper with spyware capabilities. It is often hidden within advertisements to trick users into clicking on and downloading the malware. Usually, it only targets SIM cards with specific country codes, geo-fencing the victims. It is used by financially motivated attackers to harvest a user's device information, contact list, and text messages, and to sign them up to premium subscriptions.
APK Lab recently disclosed that two available apps that contain the Joker Trojan managed to sneak past protection systems and were uploaded to the Google Play Store. The apps containing the Trojan, called ‘Speed Message’ and ‘Botmatic Messages’, currently have over 11,000 installs combined:
VirusTotal Graph:
Once installed, the malware contacts the attacker’s C2 server and pulls the malicious payload. Further investigation into the IP address of the attacker’s C2 server led me to find three more apps, called ‘Playful Game Station’, ‘Watch SMS’, and ‘H…